Many thanks for posting this! Only the other day I was evaluating Noir for a webapp and the lack of a capable user auth capability was the main blocker...
Apart from the REST argument, the best single reason I can come up with to justify changing these to use POST is that otherwise it's possible to cancel an email change or resend a confirmation of a logged in user by having him load a page containing an image tag like <img src="url-to-cancel-email-change" /> . This is the same reason for which noir-auth-app handles logouts through POST instead of GET. Not really dangerous I guess, annoying at most, but worth to fix it anyway.
By the way, in twitter.com (and I guess a lot of other not so popular websites) these are handled as GETs, and so they're subject to this kind of "attacks".
I suppose these particular paths aren't as exploitable as a logout (which isn't a GET on Twitter, either, it seems), but what about, e.g., Chrome's link prefetching? I'm not sure how it would know not to prefetch, for instance, the "cancel email confirmation" link.
Anyway, I'm teaching myself Clojure right now and this looks like great sample code to study, so thank you for sharing it.
SQL in Clojure looks very much like you are used to in other languages. Take a look at either the Clojure JDBC wrapper library or Korma for more syntactic sugar and composing SQL fragments:
11 comments
[ 5.2 ms ] story [ 39.5 ms ] threadFor example, heres a Noir app I wrote using bcrypt and Redis to store the data.
User model: https://github.com/dmix/documeds/blob/master/src/documeds/mo... (most of the model code is redis interface code)
Login / Signup views: https://github.com/dmix/documeds/blob/master/src/documeds/vi...
Apart from the REST argument, the best single reason I can come up with to justify changing these to use POST is that otherwise it's possible to cancel an email change or resend a confirmation of a logged in user by having him load a page containing an image tag like <img src="url-to-cancel-email-change" /> . This is the same reason for which noir-auth-app handles logouts through POST instead of GET. Not really dangerous I guess, annoying at most, but worth to fix it anyway.
By the way, in twitter.com (and I guess a lot of other not so popular websites) these are handled as GETs, and so they're subject to this kind of "attacks".
Thanks for raising the issue.
Anyway, I'm teaching myself Clojure right now and this looks like great sample code to study, so thank you for sharing it.
https://developers.google.com/chrome/whitepapers/prerender
but Firefox does
https://developer.mozilla.org/en-US/docs/Link_prefetching_FA...
So, using HTTPS could be a way to avoid prefetching, but it would not always work.
In any case, I've already committed the changes that you suggested, so now noir-auth-app is free from these problems.
https://github.com/clojure/java.jdbc/ http://sqlkorma.com/
There is also the Friend authentication library that you might want to take a look at:
https://github.com/cemerick/friend
One question, why not use ensureIndex ? is there a real performance running it once it's created?
https://github.com/xavi/noir-auth-app/blob/master/src/noir_a...
which in turn calls ensureIndex in the underlying Java driver, see https://github.com/aboekhoff/congomongo/blob/master/src/somn...